So, You Want a Security Survey

In our security consulting practice we are often asked to conduct security surveys. We are also
asked to do security audits. Some clients ask for vulnerability assessments. Others ask for risk
analyses. Some of these clients do not realize they are asking for different things. Each of these
tools can be used to determine the "Why?" of a client's security program, before moving along to
the "How?" It is important to know the difference when contracting for a security consultation.

Security Survey
A security survey consists essentially of mapping existing systems or programs. Surveys involve
visiting a site or evaluating a process for obvious risks. There are pencil and paper checklists,
some simple, some complex. There are automated tools, most of them expensive. Some surveys
are published by professional organizations; others are intuitive assessments that draw upon a
lifetime of professional experience. In short, there are as many security surveys as there are
persons or firms willing to do them. Be certain you are paying for the survey you require.

Security Audit
A security audit is a means of measuring or testing existing programs against client
documentation or expectation. A common sort of audit is an access control study, where a person
tests the effectiveness of lobby visitor controls and the willingness of employees to violate a
building's access controls by granting access to strangers. Audits can also take the form of
documentation reviews or evaluation of security officer knowledge and competence.

Vulnerability Assessment
A vulnerability assessment identifies the weaknesses that expose critical assets to harm, usually
without regard to the probability that an attack against those assets will occur. This is a useful
tool when deciding how to protect assets we cannot afford to have damaged, even when the
likelihood of an attack is low. Used by itself, a vulnerability assessment can produce rather
aggressive, or unrealistically expensive, security recommendations, since likelihood is not taken
into account. We are all equally vulnerable to the effects of a mile-wide asteroid striking Earth;
how likely that is to happen is a question for risk analysis.

Risk Analysis
The classic risk analysis equation calls for a loss prevention survey and the identification of
vulnerabilities. Then one determines the probability, frequency and cost of loss: the expected cost
of a single loss event multiplied by the expected number of such events per year gives the annual
loss expectancy (ALE). This works best across a large population (nationwide car theft rates, for
example) or where losses are frequent, as in the case of shoplifting. An ALE calculation does not
do us much good when we are trying to decide whether to worry about someone blowing up the
Hoover Dam with a truckload of stolen fertilizer. The reported rate of such attacks is zero, which
yields an ALE of zero no matter how large the loss would be.

Sandia National Laboratories Risk Assessment Methodology
Sandia National Laboratories, long a defender of high-value assets for the U.S. government and
other nations, has lately turned its sights on protecting critical public infrastructure such as water
treatment facilities, dams, power transmission and chemical facilities. Their Community
Vulnerability Assessment Methodology is used to assess and reduce risk to public venues.
Sandia has reduced the risk analysis problem to an equation: R = PA × (1 − PE) × C. The
probability of attack (PA) evaluates the existence of a threatening organization, its capabilities,
its history or expressed intention to harm similar clients or organizations, and whether the threat
is targeting a specific client. System effectiveness (PE) is the probability that the protection
system defeats the attack; it is tested using detailed adversary sequence diagrams that trace each
path an adversary could take and measure the ability of the current protection system and
operating procedures to detect, assess, delay and neutralize attackers along it. The consequence
of an attack (C) calls for a facility characterization using tools such as fault tree analysis and
consequence tables to rank critical assets and the real-life harm that will occur if an attack is
successful. Because PA is judged from adversary capability and intent rather than read off a
historical frequency, R stays above zero for the truck-bomb scenario that ALE scores as zero.
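As an added example, not code from the article or from Sandia's own tools, the following Python puts the two formulas from the last two sections side by side: ALE for frequent losses, and a simplified R = PA × (1 − PE) × C for a rare, high-consequence attack. The adversary-sequence walk that estimates PE is a deliberately reduced model and is an assumption of this example: each layer detects at its start with a fixed probability, a detection counts only if the delay still ahead of the adversary is at least the response time, and PE = PI × PN (probability of interruption times probability of neutralization). The layer figures, the 5 percent attack probability and the $100 million consequence are constructed numbers, not data from any real facility.

```python
"""Side-by-side risk scoring: ALE versus a simplified Sandia-style R = PA * (1 - PE) * C.

Added example; the layer figures, PA and C below are constructed, not from any real site.
"""
from dataclasses import dataclass
from typing import Dict, List


def annual_loss_expectancy(single_loss_cost: float, annual_rate: float) -> float:
    """ALE = cost of one loss event x expected number of events per year.
    A zero historical rate drives ALE to zero regardless of the loss size."""
    return single_loss_cost * annual_rate


@dataclass(frozen=True)
class Layer:
    """One protection layer on an adversary path (fence, door, control room...)."""
    name: str
    p_detect: float   # probability this layer detects the adversary (assumed constant)
    delay_s: float    # seconds the adversary needs to defeat the layer


def p_interruption(path: List[Layer], response_time_s: float) -> float:
    """Simplified adversary sequence diagram walk (a reduced model, not Sandia's full method).

    Detection at layer i happens at the start of that layer with probability p_detect,
    given no earlier detection; it counts as an interruption only if the delay still ahead
    of the adversary (this layer and every later one) is at least the response time.
    """
    p_undetected_so_far = 1.0
    p_int = 0.0
    for i, layer in enumerate(path):
        remaining_delay = sum(lyr.delay_s for lyr in path[i:])
        if remaining_delay >= response_time_s:
            p_int += p_undetected_so_far * layer.p_detect
        p_undetected_so_far *= 1.0 - layer.p_detect
    return p_int


def system_effectiveness(p_interrupt: float, p_neutralize: float) -> float:
    """PE = PI x PN: the response must both arrive in time and win the engagement."""
    return p_interrupt * p_neutralize


def sandia_risk(p_attack: float, p_effective: float, consequence: float) -> float:
    """R = PA * (1 - PE) * C, expressed in the same units as the consequence."""
    return p_attack * (1.0 - p_effective) * consequence


# Constructed sample path and parameters for a hypothetical dam control house.
DAM_PATH = [
    Layer("perimeter fence", p_detect=0.5, delay_s=30),
    Layer("building door", p_detect=0.9, delay_s=120),
    Layer("control room", p_detect=0.3, delay_s=300),
]
RESPONSE_TIME_S = 400.0
P_NEUTRALIZE = 0.8
P_ATTACK = 0.05            # judged from threat capability and intent, not from history
CONSEQUENCE_USD = 100e6


def worked_comparison() -> Dict[str, float]:
    """Return the numbers the text argues over: ALE for shoplifting and for a
    zero-frequency attack, and the Sandia-style risk for that same attack,
    before and after hardening the last layer."""
    pi = p_interruption(DAM_PATH, RESPONSE_TIME_S)
    pe = system_effectiveness(pi, P_NEUTRALIZE)
    # Hardening the last layer adds delay, so a late detection can still be answered in time.
    hardened = DAM_PATH[:-1] + [Layer("control room (hardened)", p_detect=0.3, delay_s=500)]
    pi_hardened = p_interruption(hardened, RESPONSE_TIME_S)
    pe_hardened = system_effectiveness(pi_hardened, P_NEUTRALIZE)
    return {
        "ale_shoplifting": annual_loss_expectancy(50.0, 400.0),
        "ale_dam_attack": annual_loss_expectancy(CONSEQUENCE_USD, 0.0),
        "p_interruption": pi,
        "p_effective": pe,
        "risk_dam_attack": sandia_risk(P_ATTACK, pe, CONSEQUENCE_USD),
        "p_interruption_hardened": pi_hardened,
        "risk_dam_attack_hardened": sandia_risk(P_ATTACK, pe_hardened, CONSEQUENCE_USD),
    }


if __name__ == "__main__":
    for key, value in worked_comparison().items():
        print(f"{key:>26}: {value:,.3f}")
```

With these constructed inputs the shoplifting ALE is $20,000 a year while the dam attack scores an ALE of zero; the Sandia-style figure for the same attack is about $1.2 million, and it drops once the control room delay is raised because the late detection there finally beats the 400 second response. The real methodology is richer than this walk (detection can occur at the beginning, middle or end of a layer, and delay and response times are distributions rather than constants), but the shape of the comparison is what a prioritized list of concerns is built on.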

Risk Management Strategies
Most clients end up requesting a blend of the services described above. The result is usually a
prioritized list of concerns. Once you understand your risks, what can be done about them?
There are several risk management strategies: avoidance, transfer, abatement, spreading and
assumption.

Avoidance means simply removing the target. Sometimes this is a reasonable approach, such as
stocking only the absolute minimum of high-risk inventory items, or having items drop-shipped
from the manufacturer directly to the end user. Sometimes, such as when a firm decides not to
do business in a certain neighborhood, it can constitute inappropriate, and even illegal,
"redlining," which denies needed services to whole constituencies.

Transfer is a term that in this context means insurance. We find, through insurance firms or
brokers, institutions willing to bet we will not suffer a loss. In exchange for being the beneficiary
of this bet, we pay an annual fee, our insurance premium. Most organizations use insurance to
mitigate risk. Most insurance companies or brokers insist their clients reduce the risk of loss
through abatement.

Abatement, also called loss prevention or mitigation, is where most security professionals ply
their trade. Risk is reduced through the thoughtful, timely and cost-effective application of
security architecture, systems, personnel, programs and employee involvement. Once you have
determined your risks, you may decide to develop or enhance your security policy and
procedures.

New programs may need to be developed to protect new initiatives. Crime prevention through
environmental design (CPTED) uses the built environment to enhance security for the intended
users of a space while increasing feelings of insecurity on the part of unwanted visitors. The
integrated implementation of security systems has a role to play in many properties. At some
sites, security personnel carry out security policy, procedures and programs. The final and most
important test of all security precautions is the degree to which employees are aware of and
support the program.

Spreading means distributing your assets to multiple locations where they cannot all be attacked
at once. This does not work for all businesses, but is an option for some.

Assumption is also called self-insurance. Risk is dynamic. There is a trade-off between the risk
of failure and the rewards of success. At some point, most businesses agree that risk has been
reduced sufficiently and that the remainder is accepted by the enterprise as the cost of doing
business. Business executives are frequently more comfortable with this concept than are most
security professionals.

You Get What You Pay For
You will certainly pay for your security consultation one way or another. Some security guarding
providers or security system integrators offer "free" consultation, but rest assured their time is
paid for from their overhead. There are some very good people working for these firms, but be
careful about asking a guard company whether you need guards, or asking a systems installer
how many security cameras you need. A brand- and vendor-independent consultant has no
product to sell, other than professional advice. Independent consultants sink or swim based upon
the value of the information they provide and the quality of the projects they manage.

Choosing Your Consultant
What experience does your consultant have? A career in law enforcement may, or may not,
translate into the ability to provide effective security consultation. Who are your prospective
consultant's references? What are your consultant's qualifications, certifications, and
credentials?

If fraud is the primary threat to your enterprise, a Certified Fraud Examiner credentialed by the
Association of Certified Fraud Examiners (www.cfenet.com) may be right for you. If the security
of your information systems is at the top of your list, there are professionals who have attained
the Certified Information Systems Security Professional (CISSP) certification, a credential
granted by the International Information System Security Certifications Consortium
(www.isc2.org), also known as (ISC)2. If you need a security generalist, a Certified Protection
Professional (CPP), board certified in security management by ASIS International
(www.asisonline.org), may be what you are looking for. ASIS International recently added two
new certifications. The Professional Certified Investigator credential is for experienced
investigators. The Physical Security Professional is a certification for physical security
professionals.

A Final Word
Security is a process used to manage risk. If you have carefully determined your risk, the
effectiveness of your security program's response to it can be measured. Security has a real cost.
Prepare to spend your security dollar wisely; conduct a risk analysis before you begin to change
your security program.

Michael Brady, CPP, ABCP, is a senior consultant at SecuriCo Inc. (www.securico.com), a
consulting, system design and project management firm. He has more than two decades of
experience in corporate security and safety. Mr. Brady has completed the Sandia National
Laboratories Risk Assessment Methodology-Water Utilities and Community Vulnerability
Assessment programs. He is a member of the International Association of Professional Security
Consultants (www.iapsc.org) and has served as an instructor for the University of California
Santa Cruz Extension Security Management Certificate program.